Solved

Security issues with Front End Server in a DMZ?

Posted on 2004-03-23
10
383 Views
Last Modified: 2013-12-04
We currently have a Front End/Back End Exchange configuration which resides completely behind a firewall.  It seems we are having to evaluate the option of sticking the FE server out in the DMZ for direct access to POP, IMAP, etc.  

*Currently, all users access the corporate network via VPN for access to Exchange mail.  Performance (speed) and accessibility issues have been expressed by a number of our users when connecting in this manner.

If we were to only to open the secure ports ->
443 - HTTP (SSL)
993 - IMAP4 (SSL)
995 - POP3 (SSL)
...what are the obvious security risks?

 It appears to be a infrastructure design practice preached by MS and just need to be well-informed about any security before implementing.  The FE is NOT a GC and has no mailbox store mounted...

thanks for any insight!
0
Comment
Question by:davis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 3
10 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10658902
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://www.onctek.com/trojanports.html

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10658924
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 125 total points
ID: 10658964
Improving the Security of PST Files
http://support.microsoft.com/default.aspx?scid=kb;en-us;143241

Downloading and Using the Security Configuration Manager Tool:
http://support.microsoft.com/default.aspx?scid=kb;en-us;245216

Stress Tools to Test Your Web Server:
http://support.microsoft.com/default.aspx?scid=kb;en-us;231282

WebCast: Using the Microsoft Security Tool Kit to Get and Stay Secure
http://support.microsoft.com/default.aspx?scid=kb;en-us;324892

Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp

Maximum Windows 2000 Security
http://www.bookpool.com/.x/rmpdj26gor/sm/0672319659


0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:davis
ID: 10660267
Lots of good resources here - thanks!

To quote an excerpt from your 2nd posted link:
"Just about any firewall will allow packet and port filtering in order to protect your network and Exchange environment. While this is a good start for protecting your servers, it falls short of complete protection since you have to open ports to allow access to the data in your private network. For example, port 25 must be opened to allow for SMTP traffic, port 80 for HTTP."

...with the FE in a perimeter zone (between two firewalls), as shown in the diagram, is the internal network still at risk?  Unclear what can be at risk - the FE, the BE (back-end), or both.

thanks for any clarification!!
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10661444
I did'nt stydy it all, but the solution is here:

Microsoft Exchange 2000 Server Front-End and Back-End Topology
 Advantages of a Front-End and Back-End Server Environment
 How Front-end and Back-end Topology Works
 Deployment Considerations
 Scenarios
 Configuring a Front-End Server
 Configuring a Back-End Server
 Configuring Firewalls
 Front-end and Back-end Topology Checklist
 Front-end and Back-end Topology Troubleshooting Steps
 Additional Resources
http://www.microsoft.com/technet/prodtechnol/exchange/2000/maintain/e2kfront.mspx
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10661452
SoftScan puts an end to virus and spam threats from the Internet
http://www.softscan.dk/english/index.asp
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10661479
Remember to have a different/difficult password for the administrator on the FE server, than on the BE and the rest of your servers, and setup auditing on FE

HOW TO: Enable and Apply Security Auditing in Windows 2000 Server and Windows 2000 Professional:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech

Windows 2000 Server Security Guidelines - Audit acconts
http://www.colorado.edu/its/windows2000/adminguide/w2ksecguidelines.html#localpolicy

EMCO EventLog Audit collects the eventlog from the computers on the LAN, to a database
http://www.1000files.com/Utilities/Network/EMCO_EventLog_Audit_6132_Review.html
0
 
LVL 1

Author Comment

by:davis
ID: 10661513
I have used the 'maintain'article quite a bit  - kind of a bible.

I think I found the answer in the article you posted earlier : http://www.microsoft.com/technet/security/prodtech/mailexch/opsguide/e2ksec04.mspx

Also found elsewhere, it stated :
"For security reasons, you don't want to install a front-end server in a DMZ.
Why?  Because you have to open up a whole stack of ports between the
networks.  A much more secure solution is to have the FE server on the
internal network, with ISA Server in the DMZ publishing OWA."

I would imagine it would be sugested to run ISA or some other firewall that will do application proxy.  Something to scan the traffic on IMAP, SMTP, POP before passing on to the mailserver.

Thanks for your references!


0
 
LVL 1

Author Comment

by:davis
ID: 10661529
OOps - meant to Accept the one just above the one I actually accepted.

I found it much more concise and useful
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10661829
:o) Glad I could help you - thank you for the points
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question